hands-on workbook    lockdown 2007

PII Information and Exercises
    1. Wisconsin Act 138 “Notice of unauthorized acquisition of personal information”
        Comments: Defines the data custodian's notification responsibilities upon the
       unauthorized release of certain personal information, including but not limited to
       Social Security number, driver's license and bank account information. One aspect
       is the 45-day window for sending out notifications upon learning of a release.

    2. Cornell Spider
        Comments: One of the most widely referenced open-source PII scanning tools.
       Versions are available for Windows, Linux and Mac OS X.

    3. Senf
        Comments: The Sensitive Number Finder, written in Java. SenfNet is the GUI
       port for Windows.

    4. PowerGREP
       Comments: Commercial software ($149). Allows searches against user-entered
       complex regular expressions (additional information on regular
       expressions can be found at

    5. Additional tools
          a. Identity Finder
              Comments: $39.94 per license for the Home Edition. Fully featured GUI
              that includes functions to help securely delete any found PII that is no
              longer needed.
          b. Asarium
              Comments: Commercial software. An agent-server option is available and
              can be used to quantify risk on desktops by considering the PII found and
              security settings, e.g. the last time anti-virus was updated.
          c. Find_SSNs
              Comments: Open source, written in Python, with Windows binaries.

August 9, 2007                                                                Page 1 of 14

    1. Cornell Spider
          a. Find Spider shortcut on the Windows XP Lockdown image Desktop and
          b. Find “Configure” tab and then “Settings”
          c. Find “Star dir …” and confirm path chosen (highlighted) is:
             C:\Documents and Settings\Administrator\Desktop\RestrictedTest
          d. Find “Types” and confirm “All accessible files” is checked
          e. Find “Options” and confirm “Scan whole file” is checked
          f. Find “Runtime” and uncheck “Fast Matching”
          g. Find “Regexes” and confirm Social Security and both credit card choices
             are checked.
          h. Find “Logging” and confirm “Write a local log file” is checked and
             contains “C:\SPIDER.LOG”. Confirm “Attributes to log” checks include
             “Path”, “Total matches”, “Match fragment” and “Regex”
          i. Click “Save”
          j. Click “Run Spider” and enter a 16-character password
          k. Click “File” and “View Log”, choose (highlight) C:\SPIDER, then click
             Open and supply the 16-character password entered above

Q1: What files did Spider find with SSN and Credit Card data?

Q2: How many SSN matches were found in “Fake Names and SSNs.txt”?
      HINT: Look at last comma-delimited column for this answer in SPIDER.LOG

Q3: Find the directory shortcut “RestrictedTest” on the Desktop and double-click it.
Double-click the file “Fake Names and SSNs.txt”. By inspection, how many
SSNs are contained in this file?

Q4: Does SPIDER.LOG list 987-65-4326 as being found in “Fake Names and

Q5: Find the directory shortcut “RestrictedTest” on the Desktop and double-click it.
Double-click the file called “email”. Does this file contain SSNs, and how can we
confirm this with Spider?
   HINT: Highlight the “email” file, right-click and then choose “Funduc Extensions”
   and then Decode; answer “Yes” and then “No” to view. Now re-run Spider.

    2. SenfNet
          a. Find SenfNet shortcut on Desktop and launch
          b. Click “Browse” for “Root Scan Path” and choose (highlight)
             C:\Documents and Settings\Administrator\Desktop\RestrictedTest
          c. Change “Minimum number of matches” to 1


         d. Click “Scan”
Q6: What files were found?

     3. PowerGREP
           a. Find PowerGREP shortcut on Desktop and launch
           b. Close initial PowerGREP splash screen
           c. Under File Selector choose (highlight)
              C:\Documents and Settings\Administrator\Desktop\RestrictedTest
              and click the [button image] button (located above)
         d. Confirm the [button image] button (Search through archives) is selected
         e. Under “Action” and “Search:” type \d{9}
         f. Choose “Quick Search”
Q7: What files were found?

Q8: Click the [button image] button (Search through binary files) and re-run the “Quick
Search”. What additional files were found?

Q9: Re-run this search but click “Search” instead of “Quick Search”. Do you see
987-65-4320 found in the PRIAMOS_Data.MDF file? Does it show which SQL table
this SSN is located in?

Q10: Change the Search: expression from \d{9} to \d\d\d-\d\d-\d\d\d\d and click
“Quick Search”. Was the file Fake Names and SSNs.pdf found?
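The Spider and PowerGREP exercises above all come down to the same thing: walk a directory, apply SSN and card-number regexes to whole files, and log every hit. The following is an added example written for this workbook (it is not Spider's, PowerGREP's or Cornell's code) that does exactly that in Python, using the two SSN forms compared in Q10, a Luhn check to cut credit-card false positives, and a SPIDER.LOG-style comma-delimited line per file with the total-match count in the last column as the Q2 hint describes. The sample file contents are constructed, not the lab's real files.

```python
import os
import re
import tempfile

# Patterns from the exercises. Q10 shows that \d{9} misses hyphenated SSNs, so
# both forms are scanned. The look-arounds keep \d{9} from firing inside a
# longer digit run (a serial number), which the bare pattern on the page does.
PATTERNS = {
    "ssn_hyphenated": re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])"),
    "ssn_plain": re.compile(r"(?<!\d)\d{9}(?!\d)"),
    # 13 to 16 digits, optionally separated by single spaces or dashes
    "credit_card": re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; drops most random digit runs from the card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(digits: str) -> bool:
    """Reject forms the SSA never issues: area 000 or 666, group 00, serial 0000.
    (The 987-65-43xx numbers in the lab files are fake but pass this test.)"""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return area not in ("000", "666") and group != "00" and serial != "0000"


def scan_text(text: str) -> dict:
    """Return {pattern name: [every match fragment]}. Unlike Spider's
    'Fast Matching' mode from Q4, all hits are kept, not only the first."""
    hits = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if name.startswith("ssn") and not ssn_plausible(digits):
                continue
            if name == "credit_card" and not luhn_ok(digits):
                continue
            hits.setdefault(name, []).append(m.group())
    return hits


def scan_tree(root: str) -> list:
    """Scan every file under root ('All accessible files', 'Scan whole file')
    and return SPIDER.LOG-style lines: path,regex,match fragment,total matches."""
    lines = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip, as a scanner without rights would
            for name, frags in scan_text(text).items():
                lines.append(f"{path},{name},{frags[0]},{len(frags)}")
    return lines


# Constructed stand-in for the lab's "Fake Names and SSNs.txt" (not the real file)
SAMPLE = (
    "Kim Johnson 987-65-4321\n"
    "Joe Smith 987654320\n"
    "Bad record 000-12-3456\n"
    "Visa test card 4111 1111 1111 1111\n"
    "Serial number 123456789012\n"
)


def demo_scan() -> list:
    """Write SAMPLE into a temporary tree and scan it; returns the log lines."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Fake Names and SSNs.txt"), "w") as f:
            f.write(SAMPLE)
        return scan_tree(root)
```

Note that the "Bad record" line and the 12-digit serial are deliberately not reported: the first fails the SSA plausibility test, the second is caught by the look-arounds that the page's bare \d{9} lacks.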



Q1: Ans:
      Fake Names and SSNs.doc
      Fake Names and SSNs.txt
      Fake Names and SSNs.xls
      Fake names and
      Fake credit card numbers.txt

Q2: Ans: 7

Q3: Ans: 8

Q4: Ans: No.
      By default this version of Spider is configured to show only the first hit with the
      surrounding data. Try this to see all of the matches:
      a) Quit Spider. Right click Spider icon on the Desktop and choose “Properties”
          and then enter a Space and then: /F at the end of line in “Target”. Click OK
          and then Launch Spider.
      b) Find “Configure/Settings/Runtime” and confirm “Fast Matching” is
      c) Find “Logging” and check only “Path”, “Regex”, “Match fragment” and
          “Total Matches” under “Attributes to log”
      d) Click “Save” and “Run Spider”
      e) In viewing SPIDER.LOG, you should now find this fake SSN listed.

Q5: Ans: Yes, the attachment “Fake Names and SSNs-Email.doc” does contain SSNs.

Q6: Ans: Fake credit card numbers.txt and PRIAMOS_Log.LDF

Q7: Ans: Fake credit card numbers.txt, Fake Names and SSNs.txt and
      fake names and

      This data is from Microsoft SQL database files

Q9: Ans: Yes, the SSN was found, but the SQL table name is not shown.

Q10: Ans: Yes


SQL Injection
What is SQL Injection?

“An attack technique used to exploit web sites by altering backend SQL statements
through manipulating application input”
       -Web Application Security Consortium Glossary

SQL injection happens when a developer accepts user input that is placed
directly into a SQL statement without properly filtering out dangerous
characters. This can allow an attacker not only to steal data from your database,
but also to modify and delete it. Certain SQL servers, such as Microsoft SQL
Server, contain stored and extended procedures (database server functions). If an
attacker can obtain access to these procedures, it may be possible to
compromise the entire machine. Attackers commonly insert single quotes into a
URL’s query string, or into a form’s input field, to test for SQL injection. If an
attacker receives an error message like the one below, there is a good chance
that the application is vulnerable to SQL injection.

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'or'.
/wasc.asp, line 69

PRIAMOS SQL Injection Scanner

PRIAMOS is a SQL scanner and injector.

You can search for SQL injection vulnerabilities and inject vulnerable strings to get
all database, table and column data with the PRIAMOS SQL injector.

You should only use PRIAMOS to test the security vulnerabilities of your own
web applications.


    1. Click Search Injection Tab
    2. Input URL into Address Bar
           a. Example URL
                   i. http://localhost/product.asp?ID=1
                  ii. Use ID numbers 1-10 to see different results


    3. Click Search
    4. You will notice URLs appearing in the large box
           a. Next to the URL you will see [FOUND] indicating a vulnerability
           b. Click a vulnerable URL

    5. Click the Injector Tab
    6. Click Start (next to Address bar)
    7. Click Get Databases
    8. Click a Database
    9. Click Get Tables
    10. Click a Table
    11. Click Get Columns
    12. Click Get Data
If Excel is available, you can export the data to an Excel file by clicking Export to Excel.


You will likely notice that PRIAMOS is not always able to display the column and data
information. We have noticed through our testing that conditions need to be optimal for
PRIAMOS to work properly. Also, PRIAMOS requires the backend database to be a
Microsoft SQL server. PRIAMOS is a very basic point-and-click application; many other
SQL injection tools allow you to manipulate the query strings, which in turn allows
the attacker to more thoroughly exploit and scan the application.

Caveats aside, if PRIAMOS, a very basic point-and-click utility, is able to inject a site, a
more powerful tool would be able to get much further. Therefore, PRIAMOS in its
current state is a very good once-over scanner. If you turn up vulnerabilities that
PRIAMOS can exploit in any way, it's likely that hackers with more advanced tools could do
much more significant damage.

Where to get PRIAMOS?

Link to Project

Link to Demo

Link to Download

Additional Resources

1. A great technical review of SQL injection can be found at:

Lab: Using the above instructions, fill in the following table from the PRIAMOS
database. (If the PRIAMOS DB does not show up, get tables on the four DBs,
then search a new query string. The PRIAMOS DB should then show.)

Ssn                             Name

Answer Key:
Ssn                             Name
987654321                       Kim Johnson
987654320                       Joe Smith
987654325                       Alex Thompson
987654326                       Alex Smith-Jones
987654323                       Alex Lee
987654322                       Alex Jones
987654324                       Alex Grant

Additional Exercises – Using Internet Explorer to perform SQL Injection

1. Try a SQL injection manually with IE. Launch IE and then type in the following URL
(type everything below into the address bar): union all select 'a',name,'a',ssn from customer where

Q1: What name and ssn is returned?

A1: Joe Smith 987-65-4320. Please note that the SQL command "union" allows the
attacker to see a different table ("customer") than the one the application is using ("products").

2. A scan was run using a commercial product called WatchFire AppScan
against the product.asp page. Please locate the PDF file WatchFireScanReport
on the desktop. Read through the file and determine whether WatchFire AppScan
found SQL injection within the product.asp page.
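To see why the UNION line from exercise 1 works against product.asp and what the fix looks like, here is an added example (not the lab's ASP page, not PRIAMOS) that builds the product lookup both ways against an in-memory SQLite stand-in for the lab's SQL Server database. The products/customer tables, their four-column layout and the row contents are constructed assumptions chosen so the lab's four-column UNION lines up; the detection helper at the end flags the single-quote and keyword probes the text above describes.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the lab's database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price REAL);"
        "CREATE TABLE customer (name TEXT, ssn TEXT);"
        "INSERT INTO products VALUES (1, 'Widget', 'A small widget', 9.99);"
        "INSERT INTO customer VALUES ('Joe Smith', '987-65-4320');"
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, product_id: str) -> list:
    """The pattern product.asp is assumed to use: the ID query-string value is
    concatenated into the statement, so whatever follows the number is parsed
    as SQL too. This is the defect, kept as-is to show the effect."""
    sql = "SELECT id, name, description, price FROM products WHERE id = " + product_id
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, product_id: str) -> list:
    """Hardened version: reject anything that is not a plain integer, then bind
    the value as a parameter so the driver never treats it as SQL text."""
    if not product_id.isdigit():
        return []  # reject rather than repair; log it with looks_like_probe()
    return db.execute(
        "SELECT id, name, description, price FROM products WHERE id = ?",
        (int(product_id),),
    ).fetchall()


# A quote, comment marker or SQL keyword in a field that should be a bare number
PROBE = re.compile(r"'|--|\b(union|select|or|and)\b", re.IGNORECASE)


def looks_like_probe(product_id: str) -> bool:
    """Detection side: the single-quote test and UNION payloads the text
    describes both match here, so a web-log filter can alert on them."""
    return bool(PROBE.search(product_id))


# The UNION string from exercise 1 (without its cut-off WHERE clause)
INJECTED_ID = "1 union all select 'a',name,'a',ssn from customer"
```

With the concatenated query the customer row comes back alongside the product row; the parameterised query returns nothing for the same input because the value is only ever compared, never parsed.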


Sysinternals tools and F-secure Blacklight
All of the Sysinternals tools can be obtained from Microsoft (free of charge) at:

The Sysinternals toolset consists of a large number of utilities that have been designed
to assist people in managing, tweaking and troubleshooting their computers. Fortunately
for us, a large number of these tools excel at finding items that a malicious person meant
to keep hidden from you.

While there are many utilities in this toolset, we’ll focus on the tools that most help us
when we are investigating what is going on.

Streams (

Streams is used to locate alternate data streams on NTFS file systems. Alternate
Data Streams (ADS) can be (and are) attached to files on an NTFS file system and are
typically used by the operating system to store metadata and thumbnail images of the
files they are attached to. While you cannot normally see an ADS, this utility can
find them and delete them if requested. Streams examines the files and directories
(note that directories can also have alternate data streams) you specify and reports
the names and sizes of any named streams it encounters within those files.

    1. Open up the command prompt (streams is a command-line tool) and change to
       the directory c:\tools\sysinternals
    2. Run the following command to search the entire image for ADS: “streams -s c:\”
           a. Notice the ADSs listed that have a “.txt” file attached to them?
               Did the operating system put them there? Take a look at them using
               Notepad. Make sure you run it from the command line and enter the
               entire path of the file you are looking for.
           b. Did you find anything interesting? Try entering “notepad
               c:\windows:jumble.txt” to get you started.

TCPView (

This utility gives a thorough listing of all TCP and UDP endpoints on your computer and
also displays the state of TCP connections. For the most part, this program
behaves much like the command-line tool “netstat”, but it provides more information than
the Windows version of that tool does. Along with showing the TCP and UDP endpoints,
TCPView also shows the name of the process that is responsible for each endpoint.

        1. On the Desktop, open up the “tools” shortcut and then open up the
           “sysinternals” folder. Find the program “TCPView” and run it.
        2. Look at all the processes that are listening on network endpoints. See
           anything unusual?

            Look for the process labeled <non-existent> that has port 100 open. This is
            definitely not normal.


Autoruns (

Autoruns shows you what programs are configured to run when the computer is booted,
when a user logs in, or when Internet Explorer is started. This program
looks in a large number of locations from which programs are known to be started. In
addition to listing what can be loaded, Autoruns also displays information about the file
being loaded, including who signed the file and where it is located. This utility can
also disable the loading of the file.

        1. On the Desktop, open up the “tools” shortcut and then open up the
           “sysinternals” folder. Find the program “Autoruns” and run it.
        2. You will be presented with a daunting view of all of the items that can be
           configured to run on the computer – This is the “Everything” view.
        3. Remember that annoying toolbar in Internet Explorer? It attaches itself to
           Internet Explorer as a Browser Helper Object. If you would like to disable it,
           go to the tab labeled “Internet Explorer” and find where it is being loaded.
           Note: This does not uninstall the BHO, but it does disable it, giving you the
           opportunity to remove it the rest of the way.

            Look for the item named Mirar – this is the BHO responsible for the toolbar.
            Also try looking around for listings that have no associated file.


As its name implies, RootkitRevealer is designed to detect a large number of rootkits,
including all “persistent” rootkits published at
Persistent rootkits are ones that are designed to hide files, services, or registry keys from the user.
RootkitRevealer can detect the presence of this type of rootkit (HackerDefender is a
classic example). It works by comparing the information that it gets from the Windows
API to the raw information that it finds on the file system. Whenever RootkitRevealer
finds something that isn’t listed in the Windows API but exists in the raw information, it is

Note that RootkitRevealer can detect the presence of a rootkit, but it cannot remove it.

        1. On the Desktop, open up the “tools” shortcut and then open up the
           “sysinternals” folder. Find the program “RootkitRevealer” and run it.
        2. Click on the button “Scan” in this tool and let RootkitRevealer do the rest.
        3. If everything is normal, you should only see output that is described as
           “Key name contains embedded nulls”. If there is something amiss, you will see
           output that is labeled “Hidden from Windows API.” What do you see?

            You should find a couple of files, including hxdf100. This is HackerDefender.
            The file nc.exe is responsible for the mystery process that you saw in

Normally, if you find a rootkit, you should not try to clean the system with the intention of
putting it back in service. The system should be restored from a known good backup.
However, if you want to disable the rootkit so that you can continue investigating, give
Blacklight from F-Secure a try:


Blacklight (

Blacklight from F-Secure is another take on detecting rootkits. While it uses many of the
same techniques as RootKitRevealer, Blacklight goes one step beyond and allows you
to remove the rootkit by giving you the option to rename the malicious files.

        1. On the Desktop, open up the “tools” shortcut and then open up the “fsecure”
           folder. Run the program “fsbl” and accept all the licenses that appear.
        2. Tell Blacklight to Scan the computer to find the files that RootKitRevealer
        3. After the scan finishes, how many hidden items did you find?
        4. To remove the hidden items, proceed to step 2 by clicking on “Next”.
        5. You will now see a list of what was hidden. To remove them, highlight the
           item and hit the “Rename” button. You will need to do this for all of the files
           you want to clean. Note: Be careful of what you rename. It is possible that
           system files may show up here as well!
        6. Click Next to rename the files.
        7. After the files are renamed, reboot the computer as instructed.

The rootkit should now be removed from memory, but keep in mind that the files have
not been deleted, merely renamed! To thoroughly remove the rootkit (in this case
HackerDefender), you need to find the files that have had “.ren” added to the filename.

After you have removed the rootkit, you should check your system again for private
information, using Spider, PowerGREP, or other tools. You never know what else the
rootkit was hiding. Likewise, you should look through the output of Autoruns,
RootKitRevealer, and TCPView to make sure that there are no surprises there.


Shut down your Windows VM and boot the Linux guest VM in VMware. The remaining
two groups of exercises, with tripwire and Wireshark, will be done on Fedora Linux.

Log in as user ld07, password Guess.Me!
Open a terminal window (Applications → Accessories → Terminal).
Obtain a root shell in a useful place by:
               sudo bash
               cd /usr/local/secure

Hints: the tripwire, twprint, and twadmin commands all respond to an argument of
--help. You can read the man pages with man share/man/man8/XXXX.8, e.g.
       tripwire --help
       man share/man/man8/twadmin.8

tripwire exercise 1:    run a (noisy) report
        tripwire -m c -r /tmp/run1.twr > /tmp/run1.out
        less /tmp/run1.out

Notice lots of changes since the initial DB build, in particular the addition of an
unwanted suid root program /bin/

tripwire exercise 2:    DB update
        export VISUAL=nano   # optional
        tripwire -m u -r /tmp/run1.twr -Z low

Change the [x] to [-] at the beginning of the unauthorized /bin/ line. (Changes
marked with [x] will be accepted into the tripwire checksum DB.)
Write out the changed report file.
When prompted, enter the local (DB) passphrase:
       eacH machinE signS itS own DB

Run another report to verify your changes were accepted:
               tripwire -m c > /tmp/run2.out
               less /tmp/run2.out
You should see only 3 or so changed files: one in /tmp, one in /home/ld07, and the
offending /bin/ file.

tripwire exercise 3:    detect a new change
      nano /etc/bashrc             # add a comment
      rm /bin/
      tripwire -m c -r /tmp/run3.twr > /tmp/run3.out
      less /tmp/run3.out
You should see a change noted for /etc/bashrc.


tripwire exercise 4:    policy file update
        nano etc/twpol.txt
                # delete the rpm rules paragraphs
        tripwire -m p -Z low etc/twpol.txt
Enter the local and site passphrases as needed.
        local: eacH machinE signS itS own DB
        site: shareD administratioN oF multiplE hostS
        tripwire -m c
Note that by specifying -Z low we automatically accepted all the pending changes, so it is
no longer warning us about /bin/, which is bad: we lost information about a
compromise. Also note that it didn’t install the new policy file until after the DB update,
so to get a quiet tripwire check and a safe update, the best practice is:
    1. tripwire -m c …
    2. (clean up unwanted files)
    3. tripwire -m u …
    4. tripwire -m p -Z high …
    5. tripwire -m u
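The point of exercises 2 and 4 is that a DB update is an acceptance decision: each [x] line folds a change into the baseline, and -Z low accepts everything at once. The following added example (written for this workbook, not tripwire's own code) is a miniature of that check/update cycle in Python. It hashes a directory tree, reports added, removed and changed files, and then updates the baseline either selectively, as when you change the /bin/ line to [-], or wholesale, as -Z low did. The directory layout, the bashrc edit and the file name suidshell are constructed assumptions standing in for the lab's unwanted /bin/ program.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> SHA-256 for every regular file under root (the DB)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return db


def check(baseline: dict, root: str) -> dict:
    """tripwire -m c: list files added, removed or changed since the baseline."""
    now = snapshot(root)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "changed": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
    }


def update(baseline: dict, root: str, accept) -> dict:
    """tripwire -m u: fold accepted changes into the DB. `accept` is the set of
    paths left marked [x] in the report; anything else stays pending, as when
    you change a line to [-]. accept=None takes everything, which is what the
    -Z low policy update in exercise 4 did."""
    now = snapshot(root)
    report = check(baseline, root)
    new_db = dict(baseline)
    for path in report["added"] + report["changed"]:
        if accept is None or path in accept:
            new_db[path] = now[path]
    for path in report["removed"]:
        if accept is None or path in accept:
            del new_db[path]
    return new_db


def demo() -> tuple:
    """Constructed scenario: after the baseline, an admin edits etc/bashrc and
    an unwanted suid binary appears in bin/ (file name assumed). Returns the
    check reports after a selective update and after an accept-all update."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "bashrc"), "w") as f:
            f.write("# shell defaults\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "etc", "bashrc"), "a") as f:
            f.write("# added a comment\n")
        with open(os.path.join(root, "bin", "suidshell"), "w") as f:
            f.write("stand-in for the unauthorised suid root program\n")
        selective = update(baseline, root, accept={"etc/bashrc"})
        accept_all = update(baseline, root, accept=None)
        # Only the selective DB still flags bin/suidshell on the next check
        return check(selective, root), check(accept_all, root)
```

After the accept-all update the next check is clean, which is exactly the silent loss of the compromise record that the note above warns about; the selective update keeps flagging the file until someone deliberately deals with it.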

tripwire extra credit
twprint offers 5 levels of increasingly detailed output, numbered from 0 to 4. Compare
the output from different values of N using
        twprint -m r -t N -r /tmp/run3.twr

View the live configuration and policy files using:
       twadmin -m f
       twadmin -m p
Does the output match the unsigned text versions? Best practice is to put the text
versions into a source code management system such as Subversion and then delete them.

Use twprint on some of the report files under /usr/local/secure/lib/tripwire/report. The
report files are named according to the pattern host-date-time. Which runs produced them?

Try tuning the policy file to have 0 missing-file errors when running tripwire -m c

more information



Wireshark is available in the Linux image from the Applications pull-down menu, Internet
selection. Load the file “Captured packets” from the desktop. Answer the questions below
from packets in the capture file. Some of the questions cannot be answered from packets
in the capture file. Hints and answers are in italics. The packet capture file contains
more than one session of the types below; I just listed one session.

1. Find a telnet session.
       Starting date and time and packet number? June 15, 15:09:39, 3941
       Client IP address?
       Client MAC address? 00:06:5b:bd:5b:d8
       Server IP address?
       Server MAC address? 08:00:20:b0:75:ca
       Login used? demo
       Password? a1b2c3d4

2. Find an ssh session
       Starting date and time and packet number? June 15, 14:59:28, 3417
       Client IP address?
       Client MAC address? 00:06:5b:bd:5b:e0
       Server IP address?
       Server MAC address? 08:00:20:b0:75:ca
       Login used? encrypted so can’t tell
       Password? encrypted so can’t tell

3. Find a DHCP session. Look for a DHCP session that starts with a DHCP discover
       Starting date and time and packet number? June 28, 10:32:55, 9629
       Client IP address assigned by server?
       Client MAC address? 00:0b:bd:05:41:05
       Server IP address?
       Server MAC address? On a different subnet so can’t tell
       Role of DHCP relay?
       Lifetime of IP address assignment? 12 hours
       IP address requested by client?

4. Find an HTTP session.
       Starting date and time and packet number? June 15, 15:00:14, 3570
       Client IP address?
       Server IP address?
       URL fetched?

5. Find an HTTPS session. Look for TCP port 443.


       Starting date and time and packet number? July 18, 14:42:10, 14156
       Client IP address?
       Server IP address?
       URL fetched? encrypted so can’t tell
       Answers to forms? encrypted so can’t tell
6. Find a Windows computer boot. Look for the NetBIOS protocol.
       Starting date and time and packet number? July 13, 11:50:42, 11366
       MAC address? 00:b0:d0:54:5d:35
       IP address?
       Where did it get the IP address? Picked at random because DHCP failed
       Windows name? EARTH
       Windows workgroup? VLSI

7. Find an ICMP ping conversation.
       Starting date and time and packet number? June 15, 15:00:58, 3821
       Requesting IP address?
       Answering IP address?
